“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pen testers to use for manual security testing.”

Definitely. The OWASP ZAP tool is a penetration testing tool for web applications. WAF configuration is just another layer of security to detect or block requests that are identified by the selected OWASP rule sets. You should always design and implement your web app against cyber attacks such as SQL injection and XSS and test with the OWASP tool. Then you can test with a WAF in front of it for an added layer of security and/or monitoring.